[libvirt-users] Isolate VMs' network

Daniel P. Berrange berrange at redhat.com
Mon Jun 5 14:04:17 UTC 2017


On Mon, Jun 05, 2017 at 01:58:26PM +0200, Chris wrote:
> All,
> 
> I'm trying to set up a network with some virtual machines, that can connect
> to each other and to the internet, but neither to the host nor to other
> VMs.
> 
> Is there any preconfigured network filter or best-practice for this setup?
> Of course, I could set up iptables rules on the host, but I'd prefer
> libvirt to handle them.

This can be done with the libvirt nwfilter APIs/commands, which will
automate the create/teardown of ebtables rules at vm start/stop. You
would have to ensure VMs get fixed IP addresses, and then define some
rules that block the VM subnet, except for whitelisted entries, as well
as blocking the host IP, but leaving other stuff open (to allow internet
access).

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
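As an added illustration of the approach Daniel outlines (not code from the thread or from the libvirt project itself), here is one way to write such an nwfilter. It assumes libvirt's stock NAT network 192.168.122.0/24 with the host acting as gateway and DNS/DHCP server at 192.168.122.1; each VM has a fixed address, for example via a `<host mac='...' ip='...'/>` entry in the network's `<dhcp>` section. `$IP` is the variable the stock `no-ip-spoofing` filter expects; `$PEER` and `$GATEWAY` are parameter names chosen for this example and are filled in from the domain's `<filterref>`. Traffic that no rule matches is accepted by nwfilter, which is what keeps internet access open.

```xml
<!-- isolate-vm.xml: whitelisted peers and the internet are reachable,
     the host and all other VMs on the subnet are not.
     Load with:  virsh nwfilter-define isolate-vm.xml
     Addressing below is constructed for this example. -->
<filter name='isolate-vm' chain='root'>

  <!-- Stock libvirt filters: the VM may only send from its own MAC and from $IP,
       so it cannot dodge the rules below by forging a source address. -->
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>

  <!-- Lower priority runs first. Anything not matched at all is accepted. -->

  <!-- 1. Whitelisted peer VMs: any IP traffic in both directions.
          PEER may be given several values; each value expands into its own rule. -->
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='$PEER'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip srcipaddr='$PEER'/>
  </rule>

  <!-- 2. The only host services the VM may use: DHCP and DNS served by the gateway. -->
  <rule action='accept' direction='out' priority='200'>
    <ip protocol='udp' dstportstart='67' dstportend='67'/>
  </rule>
  <rule action='accept' direction='in' priority='201'>
    <ip protocol='udp' srcportstart='67' srcportend='67'/>
  </rule>
  <rule action='accept' direction='out' priority='210'>
    <ip dstipaddr='$GATEWAY' protocol='udp' dstportstart='53' dstportend='53'/>
  </rule>
  <rule action='accept' direction='out' priority='211'>
    <ip dstipaddr='$GATEWAY' protocol='tcp' dstportstart='53' dstportend='53'/>
  </rule>
  <rule action='accept' direction='in' priority='212'>
    <ip srcipaddr='$GATEWAY' protocol='udp' srcportstart='53' srcportend='53'/>
  </rule>
  <rule action='accept' direction='in' priority='213'>
    <ip srcipaddr='$GATEWAY' protocol='tcp' srcportstart='53' srcportend='53'/>
  </rule>

  <!-- 3. Everything else to or from the host's own address is dropped.
          Internet-bound packets use the gateway's MAC but carry a non-local
          destination IP, so they are not caught here. -->
  <rule action='drop' direction='out' priority='300'>
    <ip dstipaddr='$GATEWAY'/>
  </rule>
  <rule action='drop' direction='in' priority='301'>
    <ip srcipaddr='$GATEWAY'/>
  </rule>

  <!-- 4. All remaining traffic to or from the VM subnet (other VMs) is dropped;
          the peers were already accepted in step 1. -->
  <rule action='drop' direction='out' priority='400'>
    <ip dstipaddr='192.168.122.0' dstipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='401'>
    <ip srcipaddr='192.168.122.0' srcipmask='24'/>
  </rule>
</filter>

<!-- Per-VM binding in the domain XML (constructed values). Repeat the PEER
     parameter once for every VM this guest is allowed to talk to:

     <interface type='network'>
       <source network='default'/>
       <mac address='52:54:00:aa:bb:01'/>
       <filterref filter='isolate-vm'>
         <parameter name='IP'      value='192.168.122.10'/>
         <parameter name='GATEWAY' value='192.168.122.1'/>
         <parameter name='PEER'    value='192.168.122.11'/>
         <parameter name='PEER'    value='192.168.122.12'/>
       </filterref>
     </interface>
-->
```

`virsh nwfilter-dumpxml isolate-vm` shows the stored definition, and the generated ebtables/iptables chains can be inspected on the host once a VM using it is running. Two caveats: this filters at the IP layer only, so ARP still travels across the shared bridge (visibility, not connectivity); and it relies on the fixed-IP assumption Daniel mentions, which is exactly what the `no-ip-spoofing` reference enforces.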
